More on ISO 19011

The ISO 19011:2011 auditing standard has a new name, “Guidelines for Auditing Management Systems”. The prior edition, ISO 19011:2002, limited its audit guidance to just quality and environmental systems.

The new standard has broadened its scope to the auditing of any management system, but has reduced its focus to internal (first-party) and supplier (second-party) audits. Requirements for management system certification (third-party) audits are provided in ISO 17021:2011 (see my March 2011 article).

ISO 19011:2011 provides guidance on:

  • Management of an audit program
  • Planning and conducting an audit
  • Competence and evaluation of auditors and teams

The guidance is intended to be flexible. Its use can differ based on:

  • Size and maturity level of the management system
  • Nature and complexity of the organization to be audited
  • Objectives and scope of the audit to be conducted

The standard introduces the concept of risk to auditing:

  • Risk of the audit process not achieving its objectives
  • Potential for an audit to interfere with the auditee’s activities

ISO 19011:2011 does not give guidance on an organization’s risk management process, but it does recognize that an organization can focus its audit effort on matters of significance to the management system.

Clause 3 sets out the key terms and definitions used in ISO 19011:2011. Clause 4 describes the principles on which auditing is based. These principles are important in understanding the guidance provided in Clauses 5 to 7.

Clause 5 provides guidance on establishing and managing an audit program, establishing the audit program objectives, and coordinating auditing activities. Clause 6 provides guidance on planning and conducting an audit of a management system. Clause 7 provides guidance relating to the competence and evaluation of management system auditors and audit teams.

Annex A illustrates the application of the guidance in Clause 7 to different disciplines. After Annex A.1, General, the disciplines with examples are:

A.2 Transportation safety
A.3 Environmental management
A.4 Quality management
A.5 Records management
A.6 Resilience, security, preparedness, and continuity management
A.7 Information security management
A.8 Occupational health and safety management

Annex B provides additional guidance for auditors on planning and conducting audits.

B.1 Applying audit methods (remote and onsite)
B.2 Conducting document review
B.3 Sampling (judgment and statistical)
B.4 Preparing work documents
B.5 Selecting sources of information
B.6 Guidance on visiting the auditee’s location
B.7 Conducting interviews
B.8 Audit findings

As mentioned in my December 2011 article on ISO 19011:2011, the main differences of the second edition compared to the first edition are:

  • Expanded from 38 pages to 56 pages, a 47% size increase
  • Relationship between ISO 19011 and ISO 17021 has been clarified
  • Remote audit methods and the concept of risk have been introduced
  • Confidentiality has been added as a new principle of auditing
  • Clauses 5, 6, and 7 have been reorganized and expanded upon
  • Competence determination and evaluation process has been strengthened
  • Examples of discipline-specific knowledge and skills are in new Annex A
  • Additional information is in new Annex B, resulting in removal of help boxes

Our onsite ISO 9001:2008 Internal Auditor has been updated for the new ISO 19011:2011 standard. To see the course description, go to this web page.